External Data Increases Information Governance Risks


by Matthew Bernstein, Information Management Strategist at MC Bernstein Data

Companies are more and more reliant on finding value in their data, while regulators, politicians, and the public are increasing their scrutiny of how companies use consumers’ data.


Massive amounts of available data, commoditized IT infrastructure (e.g., storage and compute), and presumed value to be extracted create incentives to keep, store, and process everything. At the same time, Data Privacy regulations are burgeoning, data protection and retention rules are expanding, and consumer rights and expectations are increasing. Meeting the increased information governance, or “IG,” challenges that come from the intersection of these developments is made more difficult by the prevalence of “externalized” data in every company’s operations. In this article we examine some of these increasing IG obligations, highlight some of the risks posed by externalizing critical information resources, and identify good IG practices to address the situation.


In the U.S., industry sector regulation has been the rule in the Data Privacy arena. Some of the industries subject to sector-specific Data Privacy rules include consumer credit, education, telecommunications, advertising, and health care. But the profile and span of privacy concerns are growing as evidenced by the European General Data Protection Regulation (GDPR), the State of California’s Consumer Privacy Act (CCPA), draft U.S. federal legislation, and public focus on the use of data. This is all on top of existing IG risks and obligations, such as records management, information security, and eDiscovery.




The increasing trend of ”externalization” and outsourcing of data management poses a challenge to firms given the diversity of systems and applications used by many companies. Identifying third-party risks is challenging because almost every widely used communication, processing, and storage platform (including cloud services, collaboration and messaging tools, and SaaS applications) operates outside the four walls of the company.


Companies are likely to use tools like Box, Slack, LinkedIn, and Twitter to communicate both internally and externally. Enterprise Management solutions like Salesforce and Workday, and cloud providers like AWS, Microsoft Azure, and GoogleCloud are the platforms of choice for fast developing companies. But, from the regulator’s perspective, responsibility for the management of this data remains with the business user, regardless of the fact that the data is external. Awareness of, and responsibility for, these Data Privacy risks cannot be outsourced.


More concerning is the fact that service providers are typically NOT acting on their own to develop and implement Data Privacy policies. Solutions and services may provide safeguards and make functionality available, but it is up to the user firm to determine the rules it is subject to, identify data subject to those rules, instruct the system or service provider to act on those rules, and assure adherence.


To address the risks in these situations, firms should establish a Data Privacy Risk framework, based on the four IG operating framework “building blocks” below. Resources should be scaled appropriately to the size and scope of the firm and need not entail large enterprise IT solutions.


Regulatory Compliance
  • Understand what Data Privacy requirements (laws and regulations) apply to the firm’s data
  • Identify data subject to Data Privacy requirements in processes, external systems, and data stores


Information Lifecycle Management
  • Implement processes to support classification, retention, archiving, and disposal of unneeded personal data
  • Confirm that processing of personal data is in compliance with laws and regulations
  • Ensure personal data is properly safeguarded by reducing the volume of non-essential information and by classifying, compartmentalizing, and encrypting sensitive data, as well as limiting access


  • Institute controls to assure vendors are aware of and adhere to applicable firm policies


Information Governance Technology
  • Implement appropriate technology to manage personal data according to policies


Firms which take an informed approach and employ robust compliance measures will mitigate the risks of regulatory enforcement action. Those who do not may find themselves in the crosshairs of the new data protection regimes.


Please note: This article contains the sole views and opinions of Matthew Bernstein and does not reflect the views or opinions of Guidepoint Global, LLC (“Guidepoint”). Guidepoint is not a registered investment adviser and cannot transact business as an investment adviser or give investment advice. The information provided in this article is not intended to constitute investment advice, nor is it intended as an offer or solicitation of an offer or a recommendation to buy, hold or sell any security. Any use of this article without the express written consent of Guidepoint and Matthew Bernstein is prohibited.


Learn how Guidepoint can help with your research needs